RMCP support
Vernon Mauery
vernon.mauery at linux.intel.com
Sat Sep 14 04:41:08 AEST 2019
On 13-Sep-2019 10:50 AM, Alexander Amelkin wrote:
> 11.09.2019 20:31, Vernon Mauery wrote:
> > On 11-Sep-2019 05:27 AM, Neeraj Ladkani wrote:
> >> Is there any plan to add RMCP support in IPMI LAN stack ?
> > There are no plans for adding RMCP support. RMCP is horribly insecure;
> > even more insecure than the least secure RMCP+ cipher suites (not
> > counting cipher suite 0, which should not even be a thing.)
> >
> > Not implementing RMCP was an intentional choice. RMCP+ is insecure,
> > especially with passwords shorter than 8 (as shown by Rick Altherr's
> > OSFC 2019 presentation). It is recommended that RMCP+ is only used with
> > cipher suite 17 and maximum length passwords (20 characters). Ideally,
> > it would not be used at all, preferring Redfish, which uses modern
> > crypto.
> >
> > Every open source IPMI utility out there supports RMCP+. That should be
> > used instead of RMCP.
>
> What about RMCP pings used for device discovery as described in section 13.13 of
> IPMI specification?
I don't have any problem in particular with RMCP Ping, but it is not
implemented. It is not required by RMCP+ as far as I can tell. The spec
calls out that is *is* required for RMCP, and can be implemented for
RMCP+.
> AFAIK, it's not supported in OpenBMC and so `ipmiutil discover` fails to
> discover OpenBMC devices.
>From what I can tell, the spec suggests that you send a Get Channel
Authentication Capabilities request to discover RMCP+ devices.
--Vernon
More information about the openbmc
mailing list